What is the default behavior of FortiGate if RPF checking is enabled?

Prepare for the Fortinet FortiGate 7.4 Administrator exam with detailed insights and expert tips. Master FortiGate configurations and security protocols to ace your certification. Equip yourself with the knowledge to pass confidently.

When Reverse Path Forwarding (RPF) checking is enabled on a FortiGate device, it requires incoming packets to be received on the same interface through which the device would normally forward packets to the source address of that traffic. This is designed to prevent IP address spoofing: a packet is accepted only if there is a valid route back to its source through the interface it arrived on.

This mechanism helps maintain the integrity of the network by ensuring that packets follow the expected paths, and it helps detect misconfigured devices or potential attacks. In environments where RPF checking is enforced, if a packet arrives on an interface but there is no corresponding route to its source that matches that interface for outgoing traffic, FortiGate will drop the packet. Hence, requiring packets to return through the same interface aligns with the expected routing behavior that RPF checking enforces.
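The check described above can be modelled as a route lookup on the packet's source address. The following is an added example, not FortiOS code: the routing table, interface names and function names are constructed for illustration, and it assumes the "route back" is the longest-prefix match, with equal-length matches all treated as valid return paths.

```python
import ipaddress

# Constructed routing table for illustration: (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "wan1"),          # default route to the internet
    ("10.0.1.0/24", "port2"),       # internal LAN
    ("10.0.0.0/16", "port3"),       # wider internal range behind another port
    ("192.168.50.0/24", "port2"),   # two equal-length routes to the same prefix
    ("192.168.50.0/24", "port3"),
]

def best_route_interfaces(src, routes):
    """Return the egress interfaces of the longest-prefix routes covering src."""
    addr = ipaddress.ip_address(src)
    matches = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net.prefixlen, iface))
    if not matches:
        return set()  # no route back to the source at all
    longest = max(plen for plen, _ in matches)
    return {iface for plen, iface in matches if plen == longest}

def rpf_check(src, in_iface, routes=ROUTES):
    """True (accept) only if the route back to src leaves via the arrival interface."""
    return in_iface in best_route_interfaces(src, routes)

def classify(packets, routes=ROUTES):
    """Label each (source IP, arrival interface) pair as 'accept' or 'drop'."""
    return [
        (src, iface, "accept" if rpf_check(src, iface, routes) else "drop")
        for src, iface in packets
    ]

# Constructed sample traffic: (source IP, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("10.0.1.25", "port2"),    # LAN host on its own interface
    ("10.0.1.25", "wan1"),     # internal source address arriving from the WAN side
    ("203.0.113.9", "wan1"),   # internet host, covered by the default route
    ("203.0.113.9", "port2"),  # internet source address arriving on the LAN port
    ("192.168.50.7", "port3"), # source reachable over either equal-length route
]

if __name__ == "__main__":
    for src, iface, verdict in classify(SAMPLE_PACKETS):
        print(f"{src:15} in={iface:6} -> {verdict}")
```
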
